FEATURES & COMMENTARY
Washington, D.C. — With President-elect George W. Bush striding toward the White House, national security experts are preparing for what could be a major change in the way the government and the private sector organize to defend against cyberattacks.
Clinton administration officials and other national cybersecurity experts say Bush plans to appoint an IT “czar” by next summer to better manage the government’s IT investments. That move, say experts, will likely involve reorganizing the federal critical infrastructure protection effort and possibly changing the role of the FBI’s National Infrastructure Protection Center.
Changes to NIPC could include asking Congress for new legislation to make it easier for the national security community to get access to investigative information, making NIPC subordinate to a federal IT czar or security officer, or starting from scratch with a different type of organization, according to sources.
The primary driver behind calls for such changes is the lack of a trip wire that would tip off intelligence and national security agencies to cyberattacks by a nation or terrorist group. Because of privacy restrictions, almost all cyberattacks are initially treated as law enforcement investigations, preventing national security agencies from gaining access to the data.
“NIPC has a fundamental inability to communicate with the rest of the national security community,” said a Clinton administration official. “This may not be the way you want to organize in the future.”
Established in 1998 and based at FBI headquarters in Washington, NIPC is intended to serve as the government’s focal point for investigating and responding to attacks against critical infrastructures such as the nation’s electric power grid. It shares intrusion, threat and warning data with the government and the private sector through a secure alert network called InfraGard.
However, NIPC has repeatedly come under fire for its perceived unwillingness to share information on investigations and its failure to broadcast timely warnings during the “I Love You” virus outbreak in May.
“We haven’t always done that well, but I think we’re getting much better at it,” said Les Wiser, a section chief and investigator at NIPC, who spoke last week at the Defending Cyberspace 2000 conference in Washington. “We oftentimes can’t tell if [an attack] is a criminal matter or a foreign intelligence matter.”
“Despite taking an incredible amount of flak, I think it’s becoming increasingly effective in its role,” said Robert Miller, deputy director of the Critical Infrastructure Assurance Office at the U.S. Department of Commerce. “If you don’t have them, you would have to reinvent them.”
Still, there are “some real issues” surrounding NIPC, he said. For example, “there is some confusion about NIPC’s role,” with some seeing it as a law enforcement agency and others as a national threat-and-warning center, he said.
U.S. Navy Capt. Robert West, deputy commander of the Pentagon’s Joint Task Force for Computer Network Defense, said that, by definition, all attacks are criminal first and acts of war second. “For us, it really does become cumbersome,” said West.
Aside from the privacy issues, creating a national security trip wire is difficult, said Richard Hunter, an analyst at Stamford, Conn.-based Gartner Group Inc. and a former National Security Agency analyst.
“It’s entirely possible for attacks to go undetected for weeks and months,” said Hunter. “Intent typically is something that you judge from what has been done. Even after an intrusion has been detected, it can take some time to determine what has been done.”
However, Ken Watson, co-chairman of the coordinating committee of the National Partnership for Critical Infrastructure Security (NPCIS), acknowledged that the entire effort needs a “more coordinated” approach.
The problem has been that the government has little or no ownership of the infrastructure, limited jurisdiction and limited intelligence capabilities, said Watson, who’s also manager of critical infrastructure protection at Cisco Systems Inc. in San Jose.
Although the critical-infrastructure protection effort will continue to move forward, “it will probably look different,” said Watson.
“I would not be surprised if the organizational structure changed,” said Tim Atkin, a member of an NPCIS working group and director of critical infrastructure protection at consulting firm SRA International Inc. in Fairfax, Va. “I hope that [the] new administration understands the concerns of industry that this issue [should] not be turned into solely a law enforcement issue or a defense issue. What has been important this past year is the understanding that industry is part of the solution and that national security equals economic security.”